
MBAR deleted some registry trojans; now I want to be sure I'm clean


11 replies to this topic

#1 fyrissian

Posted 08 January 2015 - 04:02 PM

Running Windows 8.1 on an HP Pavilion laptop. Just after Thanksgiving, my system started having boot problems (very slow to boot, often froze shortly after login).

 

I ran MalwareBytes' Anti Rootkit on it, which found and deleted some registry entries related to Trojan.Poweliks.b and Hijack.Trojan.Siredef.c.

 

That worked for a while, but a few days later it started flaking out again (freezing upon login). I turned off Superfetch and that seemed to help a great deal.

 

Now today, Google suddenly tells me I don't have permission to access the site. Time for a thorough cleaning. Please help me do so.

 

Edit: MalwareBytes and Kaspersky Internet Security both report a clean system.


Edited by fyrissian, 08 January 2015 - 04:03 PM.




#2 quietman7


Posted 08 January 2015 - 04:16 PM

The problem with Poweliks is that it has the ability to download more malicious files so systems risk being infected by other malware, causing a more damaging infection and compromising security...see What is Poweliks?.

Let's start by ensuring it was properly removed.

If you are having trouble downloading files with Internet Explorer, follow these instructions to re-enable downloads/reset all Security zones to default.

Please download ESETPoweliksCleaner and save it to your Desktop.
  • Double-click on ESETPoweliksCleaner.exe to start the tool.
  • Read the terms of the End-user license agreement and click Agree if you agree to them.
  • The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  • If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed.
  • If Poweliks was not detected "Win32/Poweliks not found" will be displayed.
  • Press any key to exit the tool and reboot your computer.
  • The tool will produce a log in the same directory the tool was run from.
  • Copy and paste the contents of that log in your next reply.
Note: If the log is too long...you may need to split it and use multiple replies in order to post all the information.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 fyrissian


Posted 08 January 2015 - 04:26 PM

Sorry, I forgot to mention *64-bit* Windows 8.1. The link was for 32-bit version which won't run on 64-bit Windows (according to the log file).

 

[2015.01.08 15:35:01.470] - Begin
[2015.01.08 15:35:01.470] -
[2015.01.08 15:35:01.470] -     ....................................
[2015.01.08 15:35:01.471] -   ..::::::::::::::::::....................
[2015.01.08 15:35:01.471] -   .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT..    Win32/Poweliks
[2015.01.08 15:35:01.473] -  .::EE::::EE:SS:::::::.EE....EE....TT......   Version: 1.0.0.1
[2015.01.08 15:35:01.473] -  .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT......   Built: Oct 15 2014
[2015.01.08 15:35:01.474] -  .::EE:::::::::::::SS:.EE..........TT......
[2015.01.08 15:35:01.475] -   .::EEEEEE:::SSSSSS::..EEEEEE.....TT.....    Copyright © ESET, spol. s r.o.
[2015.01.08 15:35:01.475] -   ..::::::::::::::::::....................    1992-2013. All rights reserved.
[2015.01.08 15:35:01.476] -     ....................................
[2015.01.08 15:35:01.476] -
[2015.01.08 15:35:01.476] - --------------------------------------------------------------------------------
[2015.01.08 15:35:01.476] -
[2015.01.08 15:35:01.476] - INFO: OS: 6.3.9600 SP0
[2015.01.08 15:35:01.477] - INFO: Product Type: Workstation
[2015.01.08 15:35:01.477] - INFO: WoW64: True
[2015.01.08 15:35:01.477] - INFO: Machine guid: 6CDB7ED5-0A36-4C6D-9409-D9382E933EF6

[2015.01.08 15:35:01.477] -
[2015.01.08 15:35:01.477] - ERROR: Sorry but this Windows version is not supported!
[2015.01.08 15:35:01.477] - End
 

 

Note that I have re-scanned the system using MalwareBytes AntiRootKit and the latest defs, and it reports a clean system.


Edited by fyrissian, 08 January 2015 - 04:37 PM.


#4 quietman7


Posted 08 January 2015 - 04:33 PM

ESET Poweliks Cleaner works on 64-bit Windows....that is the only version ESET has listed on their "How do I remove a Poweliks infection" guide. I never used it on Windows 8.1 so I cannot confirm if there is a problem on that OS other than what you advise the log said.

Please download RKill by Grinler and save it to your desktop.
  • Double-click on the Rkill desktop icon to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log file will be created and saved to the root directory, C:\RKill.log
  • Copy and paste the contents of RKill.log in your next reply.


#5 fyrissian


Posted 08 January 2015 - 04:51 PM

Rkill 2.7.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/08/2015 03:48:50 PM in x64 mode. (Safe Mode)
Windows Version: Windows 8.1 Pro with Media Center

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Automatic

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)

 * gpsvc => %windir%\system32\svchost.exe -k GPSvcGroup [Incorrect ImagePath]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 01/08/2015 03:48:58 PM
Execution time: 0 hours(s), 0 minute(s), and 8 seconds(s)
 



#6 quietman7


Posted 08 January 2015 - 04:55 PM


Please download and scan with Emsisoft Anti-Malware 30 day trial version.
  • Double-click on the EmsisoftAntiMalwareSetup.exe icon to install.
  • If the setup program displays an alert about safe mode, please click on the Yes button to continue.
  • Agree to the license agreement and click on the Install button to continue with the installation.
  • You will get to a screen asking what type of license you wish to use with Emsisoft Anti-Malware.
    If you have an existing license key or want to buy a new license key, please select the appropriate option. Otherwise, select the Freeware or Test for 30 days, free option. If you receive an alert after clicking this button that your trial has expired, just click on the Yes button to enter freeware mode, which still allows the cleaning of infections.
  • Emsisoft Anti-Malware will now begin to update its virus detections.
  • When the updates are completed, select Enable PUPs Detection.
  • Select the Full Scan option to begin scanning your computer for infections.
  • When the scan has finished, the program will display the scan results that shows what infections were found.
  • Click on the Quarantine Selected button, which will remove the infections and place them in the program's quarantine.
  • If Emsisoft prompts you to reboot your computer to finish the clean up process, please allow it to do so.
  • When finished, click Logs > Scan at the top to view the Scan log which is listed by date.
  • Highlight the log by clicking on it, then click View details to open it in Notepad. The logfile will be named in the following format: a2scan_Date-Time.txt (YYMODY)
  • Alternatively you can click Export and save the log to your Desktop, then open it by double-clicking on it.
  • Copy and paste the contents of that logfile in your next reply.
Scan logs are automatically saved to the following location:
-- XP: C:\Documents and Settings\All Users\Application Data\Emsisoft\Reports\a2scan_Date-Time.txt (YYMODY)
-- Vista, Windows 7/8: C:\ProgramData\Emsisoft\Reports\a2scan_Date-Time.txt (YYMODY)


Note: By default Emsisoft Anti-Malware installs as a free fully functional 30-day trial version with real-time protection. After the trial period expires you can either choose to buy a full version license or continue to use it in limited freeware mode which still allows you to scan and clean infections. The freeware mode no longer provides any real-time protection to guard against new infections. However, even if the trial is still enabled, you can easily turn off all real time protection and just have it running as on-demand scanner only. After the trial period expires nothing really changes except that the options to activate real-time protection are no longer available without purchasing the full version.

#7 fyrissian


Posted 09 January 2015 - 10:27 AM

First scan froze some way in, after finding some items. I stopped it and quarantined those items. Here's that report.

 

Emsisoft Anti-Malware - Version 9.0
Last update: 1/8/2015 4:36:52 PM
User account: Siluria\KevAdmin

Scan settings:

Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\, D:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    1/8/2015 5:03:54 PM
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO.1     detected: Application.AdReg (A)
Value: HKEY_USERS\S-1-5-21-512425073-2598007518-2716158409-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-512425073-2598007518-2716158409-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)

Scanned    58335
Found    4

Scan end:    1/8/2015 5:16:52 PM
Scan time:    0:12:58

Value: HKEY_USERS\S-1-5-21-512425073-2598007518-2716158409-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS    Quarantined Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-512425073-2598007518-2716158409-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR    Quarantined Setting.DisableTaskMgr (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO.1    Quarantined Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO    Quarantined Application.AdReg (A)

Quarantined    4
 

Scanned again, this time it completed (after several hours). Here's THAT report.

 

 

Emsisoft Anti-Malware - Version 9.0
Last update: 1/8/2015 10:39:57 PM
User account: Siluria\KevAdmin

Scan settings:

Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\, D:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    1/8/2015 10:46:37 PM

Scanned    1340831
Found    0

Scan end:    1/9/2015 6:12:26 AM
Scan time:    7:25:49
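The two Emsisoft reports above share a fixed line layout. As an added example (not code from the thread, from Emsisoft, or from the posters), this Python parser reads that layout, reconciles the "detected" items against the "Quarantined" ones, and checks the summary counters against the item lines, which is how a practitioner would spot a log cut short by a frozen scan. The sample log is constructed: the account SID is a placeholder, and one detection is deliberately left without a Quarantined line.

```python
import re

# Constructed sample in the layout of the Emsisoft Anti-Malware 9.0 scan log
# quoted above (SID replaced by a placeholder; one detection deliberately left
# without a matching Quarantined line so the reconciliation reports it).
SAMPLE_LOG = r"""Emsisoft Anti-Malware - Version 9.0
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO     detected: Application.AdReg (A)
Value: HKEY_USERS\S-1-5-21-EXAMPLE-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-EXAMPLE-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)

Scanned    58335
Found    3

Value: HKEY_USERS\S-1-5-21-EXAMPLE-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR    Quarantined Setting.DisableTaskMgr (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO    Quarantined Application.AdReg (A)

Quarantined    2
"""

# Item lines: "<Kind>: <object>   detected: <sig> (<risk>)" or
# "<Kind>: <object>   Quarantined <sig> (<risk>)". The object itself may hold
# single spaces (" -> "), so the column separator is two or more spaces.
ITEM_RE = re.compile(r"^(Key|Value|File):\s+(.*?)\s{2,}(detected:|Quarantined)\s+(\S+)\s+\((\w)\)\s*$")
COUNT_RE = re.compile(r"^(Scanned|Found|Quarantined)\s+(\d+)\s*$")


def parse_scan_log(text):
    """Return {"detected": {obj: sig}, "quarantined": {obj: sig}, "counts": {...}}."""
    report = {"detected": {}, "quarantined": {}, "counts": {}}
    for line in text.splitlines():
        m = ITEM_RE.match(line)
        if m:
            _kind, obj, action, sig, _risk = m.groups()
            bucket = "detected" if action == "detected:" else "quarantined"
            report[bucket][obj] = sig
            continue
        c = COUNT_RE.match(line)
        if c:
            report["counts"][c.group(1)] = int(c.group(2))
    return report


def unresolved_detections(report):
    """Objects the scan flagged that the log never records as quarantined."""
    return [o for o in report["detected"] if o not in report["quarantined"]]


def counts_match(report):
    """Summary counters must equal the item lines; a gap suggests a truncated log."""
    return (report["counts"].get("Found") == len(report["detected"])
            and report["counts"].get("Quarantined") == len(report["quarantined"]))
```

Run it over a real a2scan log by passing the file contents to parse_scan_log; an empty unresolved_detections list plus a true counts_match is the "everything found was quarantined" outcome the thread was looking for.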
 



#8 quietman7


Posted 09 January 2015 - 10:31 AM

Looks good.

Nothing of significant concern showing in your log(s)...and no obvious signs of a major malware infection.

#9 fyrissian


Posted 09 January 2015 - 10:50 AM

I am still getting the occasional "this site is not trusted" message when I try to use any Google site. Rebooting usually fixes it. Any idea why that's going on?



#10 quietman7


Posted 09 January 2015 - 12:00 PM

What browser are you using?



#11 fyrissian


Posted 09 January 2015 - 12:02 PM

Almost entirely Firefox, Internet Explorer occasionally. I keep both regularly updated with latest patches.



#12 quietman7


Posted 09 January 2015 - 01:41 PM

It would be helpful if you could create and post a screenshot the next time this happens. All security warnings do not necessarily indicate a potential threat. Typically when Firefox says it does not trust a site, it is indicating that it found a problem with the site's certificate.



